Bulletin — March 2026

March condenses three readings. Supply chain: TeamPCP first compromises Trivy and uses it to reach the PyPI credentials of the LiteLLM maintainer, shipping versions 1.82.7 and 1.82.8 with a three-stage payload. Defensive: Patch Tuesday lands without zero-days under active attack, but the month’s CVSS 9.8 is signed by XBOW, an autonomous AI agent, against the Microsoft Devices Pricing Program. Offensive: MCPwn (CVE-2026-33032) lands as an auth bypass in nginx-ui with 2,600 instances exposed on Shodan, patch on 15 March, KEV entry to follow. In parallel, Mandiant M-Trends 2026 publishes the quarter’s data point, 22 seconds between initial access and handoff to ransomware in some 2025 cases, and NVIDIA GTC ships NemoClaw as a corporate response to the agentic security problem. The month closes with DORA Register of Information delivered by thousands of entities before 31 March, and VMware Aria Operations exploited in its CISA KEV add.

Patch Tuesday March 2026 — no in-the-wild zero-days, but XBOW takes the CVSS 9.8

10 March. Microsoft publishes the March rollup with 77 own CVEs (84 with Adobe in parallel), of which two are publicly disclosed without active exploitation at release:

CVE-2026-21262 — Microsoft SQL Server elevation of privilege (CVSS 8.8). An authenticated user can escalate to sysadmin. The public disclosure didn’t come from an advisory; it came from a technical article (“Packaging Permissions in Stored Procedures”) by Erland Sommarskog, whom Microsoft credits as discoverer. Category: improper access control in stored procedures with escalated privileges.
CVE-2026-26127 — .NET denial of service (CVSS 7.5). Out-of-bounds read exploitable over the network without authentication. No RCE, just DoS.

Three critical non-zero-day CVEs worth highlighting:

CVE-2026-26110 and CVE-2026-26113 — two RCEs in Microsoft Office exploitable via preview pane. The “opening the email is enough” pattern stays as a vector.
CVE-2026-26144 — Excel information disclosure with a specific exfiltration vector toward Copilot. The new face: bugs in Office components with direct Copilot implications, not just data-at-rest but data-in-prompt.

The month’s bug is discovered by an agent:

CVE-2026-21536 — unauthenticated RCE in the Microsoft Devices Pricing Program (CVSS 9.8). Unrestricted file upload + remote execution without user interaction and low attack complexity. Discovered by XBOW, an autonomous offensive AI agent that holds the #1 spot on HackerOne US after 90 days of activity and ~1,060 vulnerabilities reported. Microsoft mitigated server-side before Patch Tuesday — customers don’t have to apply anything.

The operational news is two-fold. First, the severity: Microsoft’s quarterly RCE is found by an agent, not a human. Second, the baseline: if an autonomous agent is covering the public bug bounty space at 85x the rate of a senior pentester per XBOW’s benchmarks, the bugs discovered / month curve will tilt upward during 2026. The defender gets patches; the attacker with budget can also buy equivalent tooling. The only thing this doesn’t change is the priority pattern: the patch lands, it has to be applied, no in-the-wild zero-day this month.

Source: https://msrc.microsoft.com/update-guide/ · https://krebsonsecurity.com/2026/03/microsoft-patch-tuesday-march-2026-edition/ · https://xbow.com/blog/three-rce-vulnerabilities-in-microsoft-identified-xbow

CVE-2026-33032 — nginx-ui MCPwn, takeover in two requests

15 March. nginx-ui publishes version 2.3.4 with the patch for CVE-2026-33032 — codename MCPwn, assigned by Pluto Security. CVSS 9.8.

The bug: nginx-ui’s MCP integration exposes two endpoints, /mcp and /mcp_message. /mcp carries AuthRequired() middleware. /mcp_message carries only an IP allowlist, no auth middleware. And /mcp_message is the one serving the 12 tools that perform destructive operations: config reload, modification, command execution.

The exploitation chain is trivial:

1. Attacker with network access opens SSE against /mcp
2. Receives a valid sessionID (no auth required because /mcp delivers it
   before checking anything useful for destructive tools)
3. Calls /mcp_message with the sessionID — no auth, only IP allowlist on
   default allow-all
4. Any of the 12 tools is available: reload nginx, rewrite config,
   exec system commands

Two HTTP requests, full takeover. Shodan reports 2,600 publicly exposed instances vulnerable. Pluto Security lists it among the 31 vulnerabilities actively exploited during March 2026. The CISA KEV entry lands in the following weeks.

The bug is at once a bug and a design choice: the pattern of exposing a shell-equivalent tool API over HTTP without the auth middleware covering it is the dominant MCP bug category as of Q1 2026 (March’s technical post covers the full ecosystem). The recommended fix, adding middleware.AuthRequired() to /mcp_message and changing the default allowlist from allow-all to deny-all, is in the order of five lines in the nginx-ui codebase. The severity isn’t in the difficulty of the fix; it’s in the ease of making the bug.

Source: https://www.rapid7.com/blog/post/etr-cve-2026-33032-nginx-ui-missing-mcp-authentication/ · https://www.picussecurity.com/resource/blog/cve-2026-33032-mcpwn-how-a-missing-middleware-call-in-nginx-ui-hands-attackers-full-web-server-takeover

VMware Aria Operations CVE-2026-22719 — CISA KEV on 3 March

3 March. CISA adds CVE-2026-22719 to the KEV catalog citing active exploitation. CVSS 8.1. Command injection in VMware Aria Operations exploitable by an unauth attacker during the support-assisted product migration flow. Initial disclosure is from 24 February as part of Broadcom’s VMSA-2026-0001 advisory.

Broadcom qualifies it as “aware of reports of potential exploitation” but “cannot independently confirm their validity”; CISA skips the qualification and puts it in KEV with a 24 March deadline for the Federal Civilian Executive Branch.

The workaround for customers who can’t patch immediately: a shell script aria-ops-rce-workaround.sh running as root on each Aria Operations Virtual Appliance node. The “vendor publishes a script the sysadmin runs as root with curl/bash” pattern remains acceptable during active incidents in 2026 — which says more about the state of practice than about the risk of the script itself.

Source: https://thehackernews.com/2026/03/cisa-adds-actively-exploited-vmware.html · https://www.securityweek.com/vmware-aria-operations-vulnerability-exploited-in-the-wild/

LiteLLM supply chain (TeamPCP) — the AI Gateway as a pivot into the infra

24 March, 10:39 UTC. Versions litellm==1.82.7 and litellm==1.82.8 appear on PyPI with malicious payload. The group TeamPCP — also tracked as PCPcat / Persy_PCP / ShellForce / DeadCatx3 — had compromised the maintainer’s PyPI credentials five days earlier through a prior compromise of the Trivy scanner (19 March, 17:43 UTC: they rewrite Git tags in aquasecurity/trivy-action with the same payload). The malicious packages live on PyPI ~3 hours before PyPI quarantines them. On 23 March the same cluster attacks Checkmarx KICS with C2 at checkmarx.zone.

Version 1.82.8 introduces an evasive execution mechanism: a litellm_init.pth file in site-packages that Python executes automatically on starting any process, whether LiteLLM is imported or not. Three-stage payload: (1) credential harvester over SSH keys, AWS/GCP/Azure configs, crypto wallets and .env files; (2) Kubernetes lateral movement via privileged pods; (3) persistent backdoor via systemd with C2 for additional payloads.

Structural read: the playbook isn’t zero-day against the product. It’s compromise of security products (Trivy, Checkmarx) to use them as ramps toward downstream targets. The tools a developer installs to defend themselves become the vector. The AI gateway stops being just a proxy with credentials: it’s a pivot point into the infrastructure that hosts it. It’s the first publicly documented multi-ecosystem operation covering PyPI + npm + Docker Hub + GitHub Actions + OpenVSX in a single campaign.

Source: https://docs.litellm.ai/blog/security-update-march-2026 · https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html · https://snyk.io/blog/poisoned-security-scanner-backdooring-litellm/ · https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ · https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/

Mandiant M-Trends 2026 — 22 seconds to ransomware handoff

March 2026. Google Cloud / Mandiant publishes M-Trends 2026, based on 500,000+ hours of incident response during 2025. The number that will circulate in Q2 presentations:

Median initial access → ransomware hand-off dropped from >8 hours in 2022 to 22 seconds in 2025 in some observed cases.

That’s cases, not absolute median. But the direction is clear: the operational attacker is faster than in any previous year. The reason is that initial access moves from “human attacker exploring” to “operator with an industrialised playbook and proprietary tooling that fires the handoff to a ransomware affiliate as soon as the session is hot”.

Other pieces of the report:

AI-aware malware. Mandiant documents families like PROMPTFLUX and PROMPTSTEAL that query LLMs at runtime to evade detection. It’s not AI-generated malware; it’s malware that does inference at execution time to make decisions. The category is starting to have its own name.
Distillation attacks. IP exfiltration where the attacker extracts proprietary logic and training data from high-value models. A category arXiv has been publishing on since 2024; M-Trends formalises it as an IP theft vector in the report.
Recovery denial as explicit tactic. Operators like REDBIKE (Akira) and AGENDA (Qilin) deliberately attack the infrastructure the victim needs to recover — backups, identity services, virtualization management — before encrypting production. The consequence: incidents measured in “hours to restore” in 2023 are measured in “days to restore + decision to pay” in 2025.
Initial vector — exploitation of vulnerabilities remains the most common initial access (category described in the report), above phishing.

The report is the first quantitative 2026 source we’ll be citing for the rest of the year.

Source: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/ · https://complexdiscovery.com/twenty-two-seconds-to-hand-off-inside-mandiants-m-trends-2026-findings/

NVIDIA GTC 2026 — NemoClaw and agentic security as a commercial category

16-19 March. NVIDIA GTC San Jose 2026 — Jensen Huang keynote, announcements aligned with the agentic cycle. The AI security block:

NemoClaw — security stack for agentic AI. Combines OpenShell (open-source runtime for sandboxed agent execution), policy enforcement, network guardrails and a privacy router. Policy-based security, network and privacy guardrails, monitoring of the agent’s reasoning chain to identify out-of-policy actions.
NVIDIA OpenClaw — definition of “claw” as autonomous agent, a parallel brand to Anthropic’s positioning with MCP and OpenAI’s with its Agents. NemoClaw is the first reference implementation.
NVIDIA Nemotron local models on DGX Spark / RTX PCs. Local inference with privacy/cost benefits, aimed at hospitals / banks / regulated sectors that don’t want an external API.

Operational read: agentic security moves from being a category of research and startups (TrueFoundry, AgentSeal, Invariant) to having a product from the largest AI company in the market. The underlying hypothesis — that production agents need a runtime layer separate from the model for policy enforcement — is now signed by Anthropic with ASL frameworks, NVIDIA with NemoClaw, AWS with Bedrock Guardrails, Microsoft with Copilot Studio governance. The approaches differ; the conviction that the layer is needed is already vendor consensus.

The open question: if the guardrail lives in the wrapper that NVIDIA / AWS / Microsoft sell, the compensatory control depends on the vendor. The alternative, an open standard for agent guardrails, doesn’t exist as of Q1 2026. For a CISO planning 2027, the decision of which agentic security stack has the same shelf life as which SIEM a decade ago.

Source: https://blogs.nvidia.com/blog/gtc-2026-news/ · https://www.sdxcentral.com/news/nvidia-details-nemoclaw-security-guardrails-in-wake-of-ai-agent-concerns/

CrowdStrike Global Threat Report 2026 — eCrime breakout 29 minutes, AI ops +89%

24 February (published, echo in March). CrowdStrike publishes the 2026 Global Threat Report. Headline numbers:

eCrime average breakout time: 29 minutes in 2025. Fastest observed: 27 seconds. Breakout time is the time between the first intrusion and lateral movement — the real window the defender has to detect and respond before the attack expands.
AI-enabled adversaries +89% YoY. Documented operations using AI for recon, credential theft, evasion, social engineering. It’s the number complementary to Mandiant’s 22 seconds — the attacker is faster because they automate with LLMs.
Adversaries exploiting AI systems. Prompt injections sent against GenAI tools in 90+ organisations and abuse of AI development platforms for staging. The attacker doesn’t only use AI; they attack the defender’s AI deployment.
Zero-days as initial access vector: 42% of vulnerabilities exploited in documented intrusions were used before public disclosure. That is, nearly half of CrowdStrike’s observed in-the-wild exploitations in 2025 were against bugs not yet documented in NVD.
Cloud intrusions +37% global and +266% on state-nexus operations aimed at cloud for intel collection.

Combined with Mandiant, the operational Q1 2026 headline is: the attacker’s time curve has collapsed and the attacker’s AI usage curve has spiked. The defender’s curve, per both reports, hasn’t moved at the same rate.

Source: https://www.crowdstrike.com/en-us/global-threat-report/ · https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-global-threat-report-findings/

DORA — Register of Information with 31 March deadline and active enforcement

March 2026. First full cycle of the Register of Information (RoI) under DORA after one year of applicability. The RoI is the mandatory inventory every financial entity has to report to its NCA covering all ICT services contracts with third-party providers (Art. 28 §3 of Regulation 2022/2554). Reporting period 1 January to 21 March (or next working day); reference date 31 December 2025; xBRL-CSV format with table-oriented layout.

Deadlines vary by jurisdiction within March. Spain included in the cycle:

Country	Deadline / window
Austria (FMA)	16 Feb to 13 Mar
Luxembourg (CAA, insurance)	1 Mar
Netherlands (DNB)	20 Mar
Germany (BaFin)	9 Mar to 30 Mar
Ireland (CBI)	2 Mar to 31 Mar
Italy (IVASS)	31 Mar
Luxembourg (CSSF)	11 Feb to 31 Mar
ESA-level central submission	31 Mar

The operational point: 2026 marks the start of real active enforcement. NCAs and ESAs (EBA, EIOPA, ESMA) move from “review paperwork” to “demand proof” — real-time evidence of resilience, automated reporting, demonstrable control over ICT risk. The first formal enforcement actions over reporting failures are expected during 2026.

The sanction framework: up to 2% of global annual turnover or 10M EUR, whichever is greater. Individual fines up to 1M EUR. For critical ICT third-party providers: up to 5M EUR + 1% of daily global turnover per day of non-compliance up to six months. Plus service suspension, on-site inspections, public disclosure of breaches.

For Spanish financial entities in DORA scope, coordinating with NIS2 (transposed in Spain via LO X/2025 during H2 2025) and with ENS remains the quarter’s work. What we do see in February-March: two-thirds of large entities filing incomplete RoIs on the first try, returned for completion. Public-side banking (systemic entities) reports with more structure than insurance / pension funds.

Source: https://www.dnb.nl/en/sector-news/supervision-2026/dora-reporting-dora-registers-of-information-in-march-2026/ · https://www.regulation-dora.eu/blog/dora-2026-enforcement-what-changes

Anthropic — Claude Dispatch and Agent Teams in Claude Code

March 2026. Anthropic opens Claude Dispatch as a research preview on macOS. The product: remote computer control via QR-code pairing between iPhone and Mac. The user delegates a task from the phone (compile a report, organise files, browsing); Claude executes autonomously on the user’s computer; the iPhone streams progress. Initial rollout to Max subscribers, then to Pro.

The parallel piece: Agent Teams in Claude Code. Multi-agent architecture with parallel execution, agent-to-agent communication via shared task lists, dependency tracking between subtasks. The pattern of an agent coordinating subagents with specialised tools — present in research since 2023 (AutoGen, AgentScope) and in spot products in 2024-2025 — enters as a first-class feature in the most used client for developer agents.

Cyber read: both products expand the agent’s blast radius — Dispatch gives the model physical control over the user’s desktop, Agent Teams lets a parent agent escalate to multiple sub-agents with their own tools. The toxic flow and MCP poisoning surface that the March technical post describes applies with a multiplier to Agent Teams: each subagent is an MCP host with its own server set, its own tokens, its own context. The session stops being the unit of isolation.

For CISOs with Claude Code in the team, the Q2 questions are: how do I limit tokens and scopes per subagent? How do I audit tool calls between agents? How do I shut down the flow if one of the subagents passes through a compromised MCP server? The answers aren’t in the documentation at March close.

Source: https://anthemcreation.com/en/artificial-intelligence/claude-march-2026-computer-use-dispatch-anthropic-updates/

OpenAI — GPT-5.4 with native computer use and reinforced cyber safeguards

6 March. OpenAI announces GPT-5.4 — flagship with improvements in reasoning, coding and agent workflows on top of GPT-5.3-Codex. Security headline number: individual claims 33% less likely to be false and full responses 18% less likely to contain any error vs GPT-5.2. It’s the first time OpenAI publishes concrete hallucination deltas in a main release.

Security detail:

Native computer-use capability as the first general-purpose model — the ChatGPT Agent / Operator functionality is integrated into the base model. Implication: any GPT-5.4 deployment via API inherits the browsing and remote-action capability that was previously opt-in.
Expanded cyber safety systems, monitoring tools, trusted access controls, request blocking on Zero Data Retention surfaces for high-risk activity.
Strengthened safeguards while preparing GPT-5.4 for release — generic phrasing, no public framework equivalent to Anthropic’s RSP in granularity.

The Q1-Q2 2026 model succession: GPT-5.4 (Mar) → GPT-5.5 + GPT-5.5-Cyber (Apr-May) — the latter trained specifically for defensive tasks with expanded permissiveness, accessible only to vetted cybersecurity teams. The “model with a Cyber sibling for restricted use” pattern is new: it replicates the capability gating model Anthropic had suggested with trusted access in its Responsible Scaling Policy v3.

Source: https://www.helpnetsecurity.com/2026/03/06/openai-chatgpt-gpt%E2%80%915-4-model-release/ · https://openai.com/index/gpt-5-5-with-trusted-access-for-cyber/

CISA KEV March — adds of the month

20 March. CISA adds five vulnerabilities to KEV based on active exploitation evidence:

CVE-2025-31277 — Apple multiple products buffer overflow (published in 2025, exploit observed in 2026).
CVE-2025-32432 — Craft CMS code injection. Vector against public sites.
CVE-2025-43510 — Apple multiple products improper locking.
CVE-2025-43520 — Apple multiple products classic buffer overflow.
CVE-2025-54068 — Laravel Livewire code injection.

On top of the CVE-2026-22719 entry (VMware Aria Operations, 3 March) and the upcoming CVE-2026-33032 entry (nginx-ui MCPwn, lands in April), the month accumulates public exploitation against VMware management plane, Apple desktop/mobile ecosystem, PHP application frameworks and network infrastructure WebUIs. The four categories reflect surfaces with a high exposure baseline and uneven patch hygiene.

CVE-2025-66376 (Zimbra) also appears in mid-March KEV adds, attributed to an actor targeting Ukrainian entities — pattern seen in H2 2025 with the same target category.

Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Rest of the month

Apple iOS 18.7 / 19.x patch wave (mid-March). Apple publishes supplementary patches over the iOS 19 line with WebKit-category and kernel CVEs. No attributed in-the-wild zero-day this month, but the AirPlay category appears again in the changelog (2025 pattern).
Google Chrome 134 → 135 stable with the quarterly security batch. No ForumTroll-tier public exploitation confirmed this month.
MITRE Hack the Capitol 2026 (mid-March). Policy + research event. Public discussions on AI agent governance, agentic incident response as an emerging category, and NIST’s role in AI red teaming frameworks post-NIST AI 100-1.
Akamai / Cloudflare DDoS Q1 reports. Continuation of the AI-augmented DDoS curve (AI-managed botnets) that ENISA started flagging as a trend at the end of 2025. Peak volumes keep rising; the patterns (multi-vector with adaptive rotation) aren’t new, but the botnet’s reaction speed to defender mitigation is.
EBA / EIOPA / ESMA — Joint Committee report on DORA first year (end of March / early April). Retrospective on 2025 lessons with focus on TLPT framework, critical ICT TPP designation, and implementation gaps detected during Q3-Q4 2025 inspections.

Pattern of the month

March 2026 in one phrase: the attacker measures in seconds what the defender measures in sprints. 22 seconds to ransomware handoff (Mandiant), 27 seconds breakout time (CrowdStrike), 2 HTTP requests to takeover (MCPwn), 28 minutes to CVSS 9.8 (XBOW). The defender’s time — monthly Patch Tuesday, annual RoI, two-week sprints, quarterly audits — hasn’t collapsed at the same rate.

What this changes for the operator in Q2 2026:

Mean time to patch high/critical remains the key metric. If the attacker’s breakout time is in minutes and the operator’s patch SLA is in weeks, the asymmetry is structural.
Agentic posture management enters as a control category. The speed at which NemoClaw / OpenShell / equivalents get adopted is the speed at which the agentic surface stops being default-open.
Explicit inventory of MCP servers by team and by user is the Q1 2026 equivalent of the 2021-2022 SaaS app inventory. If you don’t know which servers each developer runs, you can’t protect anything this month’s technical post describes.
DORA RoI isn’t a paperwork exercise. Entities that pass the first cycle with a complete and consistent RoI will be better positioned for the second. The ad-hoc RoI ones will receive specific requests from NCAs during Q2.

April continues with AI Act Annex III prep (four months to high-risk obligations on 2 August 2026), Pwn2Own Berlin in May, a possible MCP spec breakage in the 2026-Hx revision, and the trail of KEV adds from MCPwn arriving in the first weeks.